Hi, I have claimed the package myself now. I think the conclusion will be that all are minor issues and the package does not need an update. But we will see when I have gone through all the CVEs.
// Ola

On Sun, 10 Mar 2024 at 23:26, Ola Lundqvist <o...@inguza.com> wrote:
> Hi
>
> This time I have a question about the package tinymce. It is also in
> dla-needed but I'm not sure why.
>
> I can see that there are a few CVEs that do not have the no-dsa mark. So
> far I understand and based on that it should be part of dla-needed. However
> if you look more closely, you can see that all those CVEs are of "cross
> site scripting" nature and when you look at the rest of the issues in that
> list there are many more with the same type of issue and then marked as
> no-dsa.
>
> If I would have triaged this package as front-desk I would have marked the
> rest the same with the reasoning that there are anyway so many of the same
> type so it does not help to fix a few others.
>
> So my question is:
> - Should those CVEs that are not no-dsa today be marked as no-dsa and in
> that case the package to be removed from dla-needed?
> or
> - Should the XSS type issues already be marked as no-dsa in fact have the
> no-dsa tag removed and we should fix them as well?
>
> Cheers
>
> // Ola
>
> --
> --- Inguza Technology AB --- MSc in Information Technology ----
> | o...@inguza.com o...@debian.org |
> | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> ---------------------------------------------------------------
>

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------